Markup Escaping Disabled

Description

Disabling markup escaping can lead to XSS attacks by allowing an attacker to inject malicious HTML entities into a web page.

javascript

const Mustache = require('mustache');
Mustache.escape = function(text) { return text; };

javascript

const Mustache = require('mustache');

Enable markup escaping for user-controlled input in Mustache templates.

Field	Value
ID	CODE-0201
Category	Injection
Severity	MEDIUM
CWE	CWE-79
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	EASY
Tags	XSS, Template Engine
OWASP	A7:2017-Cross-Site Scripting (XSS), A03:2021-Injection